GitHub user mg1986jp added a comment to the discussion: Airflow 3.0.6: "JWT token is not valid: Signature verification failed" when using SimpleAuthManager
The "JWT token is not valid: Signature verification failed" error with `SimpleAuthManager` is almost always caused by a **secret key mismatch between the API server and the webserver (or between processes)**. Here is the full diagnosis.

## Root cause

Airflow 3.x uses JWT tokens signed with a secret key stored in `airflow.cfg` under `[api] secret_key` (or the legacy `[webserver] secret_key`). When you switch from FAB auth manager back to `SimpleAuthManager`, the previously generated `simple_auth_manager_passwords.json.generated` file may exist, but if the JWT signing key changed (or was regenerated), tokens signed by the old key fail verification.

Additionally, if you are running the API server and the webserver as separate processes (or containers), they must share **the same `secret_key`**. If each process generates its own key on startup (the default when no key is set), tokens signed by one process are rejected by the other.

## Fix

### Step 1: Set an explicit, stable secret key

In `airflow.cfg`:

```ini
[api]
secret_key = your-stable-secret-key-here
```

Or via environment variable:

```bash
export AIRFLOW__API__SECRET_KEY="your-stable-secret-key-here"
```

Generate a key if you need one:

```bash
python3 -c "import secrets; print(secrets.token_hex(32))"
```

### Step 2: Delete the stale generated passwords file

```bash
rm $AIRFLOW_HOME/simple_auth_manager_passwords.json.generated
```

Restart Airflow. It will regenerate the file with a fresh password that works with the current key.

### Step 3: If running multiple processes, ensure they all see the same key

If API server and webserver are separate systemd units, Docker containers, or Kubernetes pods, the `AIRFLOW__API__SECRET_KEY` environment variable must be identical across all of them.

## Why this happened after reverting from FAB

FAB auth manager sets its own session/signing key in different config keys. When you reverted, Airflow may have fallen back to auto-generating a new secret key on startup, invalidating all existing tokens — including the session cookie that the browser was sending.

## Confirming the fix

After setting the key and restarting, open the UI in a fresh browser tab (not a restored session — clear cookies for the Airflow domain). Log in with the credentials from the newly regenerated `simple_auth_manager_passwords.json.generated`. You should no longer see the signature verification errors.

GitHub link: https://github.com/apache/airflow/discussions/65971#discussioncomment-17058204
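
An added illustration of the key mismatch described in the comment above; it is not part of the original comment and is not Airflow's code. It assumes an HS256 (HMAC-SHA256) signed token, and `startup_key`, `cross_process_check` and `key_fingerprint` are hypothetical helpers that model "generate a random key when none is configured" and let you compare keys across processes without printing them.

```python
import base64
import hashlib
import hmac
import json
import secrets

ENV_VAR = "AIRFLOW__API__SECRET_KEY"  # variable name taken from the comment above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(claims: dict, key: str) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"


def verify_token(token: str, key: str) -> bool:
    """Recompute the HMAC with the verifier's key; compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:  # not exactly three segments
        return False
    mac = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return hmac.compare_digest(_b64url(mac.digest()), sig)


def startup_key(env: dict) -> str:
    """Hypothetical model: use the configured key, else a fresh random one."""
    return env.get(ENV_VAR) or secrets.token_hex(32)


def cross_process_check(signer_env: dict, verifier_env: dict) -> bool:
    """One process signs, another verifies, each with its own startup key."""
    token = sign_token({"sub": "admin"}, startup_key(signer_env))
    return verify_token(token, startup_key(verifier_env))


def key_fingerprint(key: str) -> str:
    """Short digest that is safe to log when comparing keys across processes."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


if __name__ == "__main__":
    shared = {ENV_VAR: "constructed-sample-key"}  # constructed value
    print("no key set anywhere:", cross_process_check({}, {}))
    print("same key everywhere:", cross_process_check(shared, shared))
```

Running `key_fingerprint` on the configured value in each container and comparing the outputs confirms Step 3 without exposing the secret in logs.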
